Fixing Multiple Interface Problems with Tomcat on Novell Access Manager 3.0.1


Problem



I recently had an issue with accessing my IDP server. I had configured it with a private address on eth0 and a public address on eth1. When Tomcat is installed, it binds its connectors to the IP address of the first interface (eth0) only. On a two-interface system this makes the protected resources unreachable from the public Internet.



Attempting to authenticate through the IDP server would result in a "100101044" error at the browser. Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following would be displayed:



<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: 
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP
https://idp-neil.novell.com/nidp/idff/metadata </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237:
Unable to load metadata for Embedded Service Provider: https://idp-neil.novell.com/nidp/idff/metadata,
error: Connection refused </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237:
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE,
error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: :
Embedded Provider failed to load Identity Provider metadata </amLogEntry>



Solution



Here's how to resolve the issue:



1. Open a command line on the IDP server and edit the file /var/opt/novell/tomcat4/conf/server.xml.



2. Search for the strings 8443 and 8080 to locate the Identity Server connectors.



Here's an example connector from a setup that only listens on IP address 192.168.1.19.



<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
minProcessors="5" maxProcessors="200" enableLookups="false"
redirectPort="8443" acceptCount="0" debug="0"
connectionTimeout="20000"
useURIValidationHack="false" disableUploadTimeout="true"
address="192.168.1.19" URIEncoding="utf-8" useBodyEncodingURI="false" />



3. Remove the address="..." attribute. Without it, Tomcat listens on all interfaces (0.0.0.0 / ::).
Make sure that you do this for both the 8080 and the 8443 connector. Keep in mind that this also exposes both ports on the private interface; if the Identity Server should only answer on the public address, set address to that IP instead of removing the attribute, or restrict the private side with a host firewall.



4. Save the file and restart Tomcat:

/etc/init.d/novell-tomcat4 restart



Use netstat to verify that the change took effect:



linuxlab5:/ # netstat -patune|grep -i listen|grep 443

tcp 0 0 147.2.16.109:443 0.0.0.0:* LISTEN 0 13446 7420/stunnel
tcp 0 0 147.2.16.109:1443 :::* LISTEN 0 14759 6644/java
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java



What you want to see once the address attribute is removed is the 8443 socket bound to the wildcard address (::: in netstat, i.e. all addresses):



tcp	0	0 :::8443	:::*	LISTEN	100	17071		9056/java



If the connector is still bound to a single IP address, you will see this instead:



tcp	0	0 147.2.16.109:8443	0.0.0.0:*	LISTEN	100	17071		9056/java
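To check that every connector really ended up bound the way you intended (and that Tomcat was restarted afterwards), here is a small added Python audit that is not part of the original article: it reads the address attribute of each Connector in server.xml and compares it with the listening sockets reported by netstat. The server.xml fragment and the netstat lines embedded below are constructed samples modelled on the article, not captured from a real system.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (an assumption, not the article's file): the 8080
# connector is still pinned to the private address, 8443 has had address= removed.
SERVER_XML = """<Server>
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
      redirectPort="8443" address="192.168.1.19" URIEncoding="utf-8"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
      scheme="https" secure="true" URIEncoding="utf-8"/>
  </Service>
</Server>"""

# Constructed `netstat -patune | grep -i listen` output, modelled on the article's lines.
NETSTAT = """\
tcp 0 0 147.2.16.109:443 0.0.0.0:* LISTEN 0 13446 7420/stunnel
tcp 0 0 192.168.1.19:8080 0.0.0.0:* LISTEN 100 17071 9056/java
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java
"""

WILDCARDS = {"0.0.0.0", "::"}  # netstat's "listening on every interface" addresses

def connector_bindings(xml_text):
    """port -> configured address per <Connector>; '*' means no address= attribute."""
    root = ET.fromstring(xml_text)
    return {int(c.get("port")): c.get("address", "*") for c in root.iter("Connector")}

def listening_sockets(netstat_text):
    """port -> bound address for each listening TCP socket in netstat output."""
    socks = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)  # ":::8443" -> ("::", "8443")
        socks[int(port)] = "*" if addr in WILDCARDS else addr
    return socks

def _status(cfg, actual):
    if actual is None:
        return "not-listening"
    if actual != cfg:
        return "restart-needed"  # server.xml edited but Tomcat not restarted (or vice versa)
    return "all-interfaces" if cfg == "*" else "pinned"

def audit(xml_text, netstat_text):
    """One (port, configured, live, status) tuple per connector in server.xml."""
    live = listening_sockets(netstat_text)
    return [(p, cfg, live.get(p), _status(cfg, live.get(p)))
            for p, cfg in sorted(connector_bindings(xml_text).items())]
```

On a real server, feed it the contents of /var/opt/novell/tomcat4/conf/server.xml and the live netstat output; a "pinned" 8080 or 8443 means step 3 was not applied to that connector.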

Comments

Thanks man, had a similar issue with the Access Management Administration Console. This worked a treat and saved me a tonne of time trying to work it out ;) Cheers again.